SOCIAL SECURITY

MEMORANDUM

Date: February 14, 2001
Refer To: 31045-23-126

To: William A. Halter
Acting Commissioner of Social Security

From: Inspector General

Subject: The Social Security Administration's Internet Data Collection Activities

The Omnibus Consolidated Appropriations Act (Public Law 106-554) mandates that the Office of the Inspector General provide to the Congress information relating to the Agency's activities regarding-

1. the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and

2. entering into agreements with third parties, including other governmental agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for governmental and non-governmental Internet sites.

The attached report, The Social Security Administration's Internet Data Collection Activities, responds to these requirements and is due to the Congress by February 19, 2001. If you have any questions or would like to discuss the contents of this document, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Attachment


Office of the Inspector General

February 20, 2001

The Honorable Ernest J. Istook, Jr.
Chairman, Subcommittee on Treasury, Postal Service,
 and General Government
Committee on Appropriations
House of Representatives
Washington, D.C. 20515

Dear Mr. Istook:

As required by the Omnibus Consolidated Appropriations Act (Public Law 106-554), the Social Security Administration's Office of the Inspector General is pleased to provide you with the requested information relating to-

1. the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and

2. entering into agreements with third parties, including other governmental agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for governmental and non-governmental Internet sites.

In summary, we found that SSA does collect personal identifiable information about certain web site users, only with the consent of such user, through the use of session cookies and completion of forms. SSA has entered into agreements with third parties that collect and maintain personal identifiable information, but SSA does not disclose these third party agreements to web site users. The enclosed report "The Social Security Administration's Internet Data Collection Activities" provides the full findings of our review. We have sent identical letters to the Honorable Steny Hoyer, Ranking Minority Member of your Subcommittee, and the Chairman and the Ranking Minority Member of the Senate Subcommittee on Treasury, Postal Service, and General Government.

If you have any questions or would like to be briefed on this issue, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at 410-965-9700.

Sincerely,

James G. Huse, Jr.
Inspector General of Social Security

Enclosure

SOCIAL SECURITY ADMINISTRATION BALTIMORE MD 21235-0001


Additional letters sent to:

The Honorable Ben Nighthorse Campbell
Chairman, Subcommittee on Treasury, Postal Service,
 and General Government
Committee on Appropriations
United States Senate
Washington, D.C. 20510

The Honorable Byron Dorgan
Ranking Minority Member
Subcommittee on Treasury, Postal Service
 and General Government
Committee on Appropriations
United States Senate
Washington, D.C. 20510

The Honorable Steny Hoyer
Ranking Minority Member
Subcommittee on Treasury, Postal Service
 and General Government
Committee on Appropriations
House of Representatives
Washington, D.C. 20515


CONGRESSIONAL REPORT

THE SOCIAL SECURITY ADMINISTRATION’S INTERNET DATA COLLECTION ACTIVITIES

FEBRUARY 2001


BACKGROUND

The Omnibus Consolidated Appropriations Act (Public Law 106-554) requires that

      “Not later than 60 days after the date of enactment of this Act, the Inspector General of each department or agency shall submit to Congress a report that discloses any activity of the applicable department or agency relating to—

      (1) the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and

      (2) entering into agreements with third parties, including other governmental agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual’s access or viewing habits for governmental and non-governmental Internet sites.”

In addition, the Office of Management and Budget (OMB) issued Memorandum M-99-18, “Privacy Policies on Federal Web Sites”, which directs departments and agencies to post clear privacy policies on World Wide Web sites and provides guidance for doing so. The Privacy Act and OMB Circular A-130, “Management of Federal Information Resources”, require that Federal agencies protect an individual’s right to privacy when they collect personal information. Because of this, Memorandum M-99-18 directs agencies to inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use it. Privacy policies must be written in a clear and concise manner and clearly labeled and easily accessed when someone visits a web site.

Further, OMB issued Memorandum M-00-13, “Privacy Policies and Data Collection on Federal Web Sites,” which discourages the use of “cookies”, small bits of software that are placed on a web user’s hard drive to track the activities of users to web sites. Agencies should not use “cookies” at Federal web sites unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site, appropriate and publicly disclosed privacy safeguards for handling of information derived from “cookies,” and personal approval by the head of the agency. However, a letter from OMB’s Administrator, Office of Information and Regulatory Affairs, to the Chief Information Officer of the Department of Commerce dated September 5, 2000, exempts session cookies from M-00-13.

The SSA provides access to the general public through its Internet address www.ssa.gov. Through this Internet address, the public can, for example, access different applications, forms, and information, and apply for retirement benefits, request a Social Security Statement, and verify benefits.

Upon entering SSA’s Web site, the customer must scroll down to the bottom of the webpage to access SSA’s “Privacy Policy” (See Appendix) through a hyperlink--a predefined link from one location to another. When accessed, SSA’s Privacy Policy informs visitors to its web site what information the Agency collects about individuals, why the Agency collects it, and how the Agency will use the information. The Policy does not inform visitors what SSA does with reply e-mails individuals send to provide feedback on the web site.


RESULTS OF REVIEW

To comply with the requirements of the Omnibus Consolidated Appropriations Act (Public Law 106-554), we performed tests to determine: 1) what personal identifiable information SSA is collecting from users of its web site and 2) if SSA has entered into agreements with third parties to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual’s access or reviewing habits for governmental and non-governmental Internet sites. We found that SSA does collect personal identifiable information of its web site users, with the user’s consent, and in accordance with its Internet Privacy Policy. SSA collects information such as names, social security numbers, birth dates, e-mail and postal addresses of users that complete application forms online and through the use of session cookies. Session cookies are short-lived, used only during the browsing session, and expire when the user quits browsing. SSA does not use persistent cookies. Persistent cookies specify expiration dates, remain stored on the web user’s computer until they expire, and can be used to track the user’s browsing behavior.

The personal identifiable information collected is only used to process application requests and to forward updates to frequently asked questions via e-mail to web site users.

SSA has entered into an agreement with the General Services Administration (GSA) to collect e-mail addresses, provided upon web site user’s request for electronic subscriptions to SSA’s E-News, a monthly electronic publication. GSA uses the e-mail addresses collected to distribute SSA’s E-News. In addition, SSA has entered into an agreement with RightNow Web, an independent contractor, which collects e-mail addresses, provided upon web site user’s requests, to allow SSA to provide notification of updates to frequently asked questions maintained on its web site. SSA does not have non-disclosure agreements with these third parties. Further, SSA does not disclose to its web site users that the e-mail addresses are collected and maintained by GSA and RightNow Web as directed by OMB Memorandum M-99-18.


RECOMMENDATIONS

As a result of this most recent review and considering the relevant OMB guidance referenced in this report, we will recommend:

SSA rewrite its Internet Privacy Policy based on OMB Guidance M-99-18 and its attachments. Specifically, SSA should:

   • adjust the position of its Internet Privacy Policy hyperlink to provide web site users clear and prompt access.

   • disclose its relationship with GSA and RightNow Web.

   • disclose its policy for maintaining, processing, and disposing of e-mails received from web site users.

Finally, SSA should implement nondisclosure agreements with GSA and RightNow Web.


APPENDIX

SSA’s Internet Privacy Policy

The privacy of our customers has always been of utmost importance to the Social Security Administration. In fact our first regulation, published in 1937, was written and published to ensure your privacy. Our concern for your privacy is no different in the electronic age.

Our Internet Privacy Policy

    • You do not have to give us personal information to visit our site.
    • We collect personally identifiable information (name, e-mail address, Social Security number or other unique identifier) only if specifically and knowingly provided by you.
    • Personally identifying information you provide will be used only in connection with Social Security Online or for such other purposes as are described at the point of collection.
    • Information is collected for statistical purposes and SSA sometimes performs analyses of user behavior in order to measure customer interest in the various areas of our site. We will disclose this information to third parties only in aggregate form.
    • We do not give, sell or transfer any personal information to a third party.
    • We only enable "cookies" for our searchable Frequently Asked Questions (FAQ) database (ssa-custhelp.ssa.gov), and then only for the feature that allows you to register to be notified when a question is modified. A cookie is a small piece of text information that is sent to your browser -- along with a Web page -- when you access a Web site. Your browser will only return this cookie information to the domain where the cookie originated. No other site can request it.

Why Does SSA Use Cookies?

In the case of our searchable FAQ database, the cookie helps us remember you if you request to be notified of a change of a question. If you choose to disable cookies, you may still request that you be notified when a question is changed, but you will be required to enter your e-mail address for every question you wish to be notified about. The cookie will expire 30 minutes after the last time the cookie was modified. This expiration time does not delete the cookie from your PC, but it does make it invalid and we can no longer use that cookie. No other web site can use this cookie under any circumstances. If you wish to delete this (or any cookie), that is a function of your web browser and you should consult the software's Help files.